sanmarcostx.gov: An evaluation of the City of San Marcos 2017 phishing incident that led to the release of 800 employees’ W2s

THIS COULD HAPPEN TO YOU! - TML Conference

• Incident
• Response
• What We Learned

Incident

Phishing email led to the release of 800 current & former employees’ W2s

Where it all began….

Red flags

Timeline

• Received notice from two employees from the same department that Turbo Tax rejected their online tax filing
• Contacted IRS in reference to the notice & IT began internal correlation between two employees’ computers
• IT made Risk Manager aware of a potential phishing email that had potentially been replied to by a City employee
• Following business day, received more notices of online filing rejections from additional employees in different departments.
• IT began an extensive data analysis which resulted in finding that a response to the phishing email was actually sent to the phisher.
• Phishing Incident Identified & City response began

Response

• Cyber Liability coverage
  – Coverage for data compromise
  – Provided expert legal counsel
  – Employee Identity Theft Protection

Outside Legal Counsel

• Provided sample employee communications
• Sample Employee notification language:
  – Included required wording for Texas residents
  – Affected former employees who had relocated out of state
  – Provided separate requirements for minors
• Worked with IRS to ‘flag’ affected employees
• Recommended affected individuals file a police report

City Response Team

• Finance
• Human Resources
• Information Technology
• City Manager’s Office
• Communications
• Police

Communications: Get in front of the message

• City Leadership
• Department Staff
• Affected City Employees
  – Current
  – Former
• Interviews with the Media
• Social Media

Response

• City Manager’s Office provided initial notification of the incident to employees
• Established an internal single point of contact
• Prepared frequent employee updates

Identity Theft Protection

• Cyber Liability Coverage provided one year of identity theft protection service through online monitoring
  – City added additional 2 years coverage
• All affected employees (current & former) received notification letters by mail
• Current affected employees received letters in-person
• Computer lab set-up & staffed by City Response Team for 2 weeks

Resources

• Internal Revenue Service
  – Online
  – In-person
• Employee Assistance Program

Moving Forward

Steps we have taken to mitigate future incidents

– End User Training
– Email Signatures
– External Source Warning
– O365 Data Loss Prevention Policies
– Online Security Training
– Phishing Test Campaigns

End User Training: In-Person

Awareness Pays Off

…until you hit reply.

O365 sensed fraud

Email Signatures

• Standardization

Benefits:

• Professional appearance across the organization

External Source Warning

End User Training: Via Email

Microsoft Office 365 Data Loss Prevention Policies

With a DLP policy we can:

• Identify sensitive information across many locations, such as Office 365 emails, SharePoint Online, and OneDrive for Business.
• Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange takes action.
• Prevent the accidental sharing of sensitive information.
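
The detection behaviour listed above (matches in the subject, body and attachment text, weighed by a confidence level before action is taken on mail leaving the organization) sketched as an added example; it is not the City's configuration or Microsoft's implementation. The keyword list, confidence scores, `city.example` domain, "block" action and sample message are constructed assumptions.

```python
import re

# Constructed keyword list and scores; a real DLP product ships its own.
KEYWORDS = re.compile(r"\b(ssn|social security|w-?2|taxpayer)\b", re.I)
SSN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
WINDOW = 300  # characters of context searched for corroborating keywords

# Constructed sample: a reply carrying W-2 text to an outside address.
SAMPLE = {
    "to": ["requester@mail.example"],
    "subject": "RE: employee W2 copies",
    "body": "Attached as requested.",
    "attachment_text": "Form W-2  Employee SSN: 123-45-6789  Wages 41000.00\n"
                       "Form W-2  Employee SSN: 000-12-3456  Wages 38000.00",
}


def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")


def scan_part(text):
    """Return (match, confidence) pairs for one message part."""
    hits = []
    for m in SSN.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        # A nearby keyword raises confidence that nine digits are an SSN.
        confidence = 85 if KEYWORDS.search(context) else 65
        hits.append((m.group(0), confidence))
    return hits


def evaluate(message, internal_domain, min_confidence=75, min_count=1):
    """Return (action, hits) for an outbound message given as a dict of parts."""
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + internal_domain)]
    hits = []
    for part in ("subject", "body", "attachment_text"):
        hits += [(part, value, conf) for value, conf in scan_part(message.get(part, ""))
                 if conf >= min_confidence]
    if external and len(hits) >= min_count:
        return "block", hits
    return "allow", hits
```

Lowering `min_confidence` to 65 makes bare nine-digit numbers count as hits, which is the trade-off the confidence setting controls: more coverage, more false positives.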

Data Loss Prevention Policy Options:

• U.S. Financial Data

• U.S. Gramm-Leach-Bliley Act (GLBA)

• U.S. Health Insurance Act (HIPAA)

• U.S. Patriot Act

• U.S. Personally Identifiable Information (PII) Data

• U.S. State Breach Notification Laws

• U.S. State Social Security Number Confidentiality Laws

Data Loss Types we selected to encrypt:

• Credit Card Number

• U.S. / U.K. Passport Number

• U.S. Bank Account Number

• U.S. Driver's License Number

• U.S. Individual Taxpayer Identification Number (ITIN)

• U.S. Social Security Number (SSN)

• ABA Routing Number

• Drug Enforcement Agency (DEA) Number

Phishing Test Campaigns

Sample Report Phishing Test Campaigns

Reports will show vulnerability

*KnowBe4 graphic

Training Campaigns

Lessons Learned

• Assume worst case scenario
• Cyber Liability Coverage
• Single point of contact
• Rapid Response
• Communication, Communication, Communication
  – Involve communication department
  – Simple, factual and consistent message
  – Frequency of message
  – Rapidly changing information

It’s not over yet…

– Several employees’ 2017 refunds have not been processed.
– Employees with extensions are still filing.
– What will employees experience in filing 2018 taxes?

Questions, Comments or Concerns?

Heather Hurlbert – Director of Finance

Linda Spacek – Director of Human Resources

Mike Sturm – Director of Information Technology